What Can Be Done About Security of Debit Cards? 511
JumpDrive writes "I have been the victim of (Visa) debit card theft. I do not know where they stole or got the number, but it was used one day on the other side of the country and the next day it was used in Europe until they cleaned out my account. I had been monitoring my account online and immediately went to the bank and filed a claim. I was told at that time it would be 3 to 5 weeks for them to investigate the claim before they could return my money. Recently I tried to make a purchase with a debit card and was told that they couldn't use the card since it wasn't a Visa or MasterCard check card; this led to a discussion of why I no longer have a Visa or MasterCard check card. Which then led to the question of 'What can be done about it?' Currently I have a separate account for debit usage for my personal safety. But I also think that those producing these check cards should be required to advertise the hazards of having one of these cards (not in small print and maybe required in advertisement of these cards, similar to what is required with pharmaceutical drugs on television) and/or that if a debit or check card is issued a separate account should be required for its use, and users informed of the issues of placing all of their money in the same account that their debit card has access to. What other precautionary measures should be required or taken?"
Get a new bank (Score:5, Interesting)
Shop around for a bank that actually values you as a customer. I believe Bank of America will give you your money back within 24 hours. I'm not a fan of theirs but at least they do that for you. I personally use US Bank.
I had a better experience (Score:5, Interesting)
One day I found that my bank account had been cleaned out. There were a massive number of $50 charges from one vendor -- essentially they kept charging $50 until they got a decline. The charges had occurred after 11:00 PM and before 5:00 AM local time, which made me think that time zones were involved.
I called the bank immediately and reported it, had the card frozen but by that time there was only about $20 left.
I did some research from the transaction information -- the company had an address in California that appeared to be fake, an 800 number that was disconnected, and the domain was owned by a different company in Korea.
I printed all this out, took it to the credit union. They had me fill out some forms, and gave me access to some money (I was pretty much broke) while they worked on it.
Within 3 days all my money was returned to me. It's possible that the credit union fronted me the cash while they worked with the authorities -- they never said. But as far as I was concerned, the event was over in less than a week.
Maybe it makes a difference which bank you use. Or maybe it's the difference between a bank and a credit union. I dunno.
I never did figure out how they got my numbers.
Re:What can be done? Nothing. (Score:2, Interesting)
You don't have to check your bank balance daily—just make sure you don't lose the physical card, and review your monthly statements. You would have to do just as much for a credit card.
You are liable for the amount (on a sliding scale) if you don't report the theft within two days. If some waiter skims your debit card's stripe at a restaurant, you will not even know a copy was made, but you are just as liable as if the card were physically stolen. If you check it monthly, that gives the thieves up to 28 days to steal from your account; more than enough time to drain it dry. The only realistic chance you would have of noticing it early is if you get an unexpected NSF while using your card.
We've lost sight of something important here... (Score:3, Interesting)
The whole point of a bank (at least originally) was to keep money safe by making it difficult to access. Through the years we have demanded that banks make it easier and more convenient to access our money, and now we are paying the price. Security and convenience are inversely proportional to one another. It is a mystery to me why we, as a civilization can't seem to grasp this basic concept.
Re:just use a CREDIT card (Score:2, Interesting)
Casual debit card fraud in Canada is pretty limited. Credit cards have better protection *after* a complaint has been logged. I've heard co-workers in nearby cubicles spout out all the information on their credit card, and I may already know their home address. Within a half hour I could ship a dozen toilet seats to their house, or go on an iTunes shopping spree for myself, with only a Hotmail and an IP address log to find me. If the whole office shares an external IP, good luck tracing it to the department laptop I borrowed during coffee break. (Note: risk-management is part of my job)
These days convincing credit companies NOT to raise my credit limit is hard. If I want to limit my debit liability, I simply don't put excess cash or overdraft into the accounts linked to my card. No money, no cry.
The newsworthy cases of debit fraud involve compromised card readers or fake fronted ATMs. That is serious effort. To use debit, you have to have a card in hand. If I have your debit card number and your PIN written down, that won't even buy me a pizza. You can't use them over the phone, so a fraudster has to be well equipped by recreating fake cards, or tapping into financial networks. This is why they're adding chips to debit cards now. [theglobeandmail.com]
For all the millions that Interac reimburses to fraud victims, it's a tiny drop in the bucket for the total amount of transactions every year in Canada. For one, banks can set daily AND transactional withdrawal limits with Interac, just as they can for their ATMs. Hard to steal 5,000 if it takes a week. Why don't we mind? Canada isn't Japan, it's unlikely the average person walking around has over a grand in cash on them. We love debit.
Businesses love debit too. Less fees than Visa in many cases. Same-as-cash, so grocery stores will gladly give you cash back. No issues with charge backs. There are much fewer Canada-wide banks, so Interac-by-email is a viable option. Think Paypal but with actual bank protections for the buyer.
I'm really not sure who decided that giving Visa the ability to create debit cards was a good idea.
Re:Get a credit card (Score:5, Interesting)
I saw a news show recently reporting that lots of crooks have been breaking in to stores to steal the hard drives out of the cash registers. Lots of the registers store your debit/credit card information unencrypted and criminals can recover and use tit. One more reason I always use cash for minor purchases.
Re:What can be done? Nothing. (Score:5, Interesting)
One thing to watch out for is being fobbed off by banks. Standard law for credit or debit cards is the onus is upon the seller to prove that you made the purchase not upon you to prove you didn't. If your bank wants to take a few weeks to resolve it immediately complain to your regulatory authority, the bank can take a few weeks to resolve it with the seller, not with you. Once you have made the formal claim for a stop payment it should be resolved in a couple of days, if your bank does not support you in this, it is time to change banks.
The reality the person who used your credit or debit cards details, did not steal from you, the seller with the assistance of the credit or debit card company stole from you, they should be required by law to prove that charge in fact did occur, that they were defrauded and that they attempted to defraud you in error.
The lie being spread by mass media, to suit their advertisers the credit card companies and the merchants is a lie, that the money was stolen from your by the thief that used the card details. Your money was stolen by the merchant who claimed you made the purchase, once you have made the complaint, the police should pursue the merchant who by law should prove they did not just attempt to defraud you, that someone defrauded the merchant has absolutely nothing to do with you and at no time should be considered your problem.
Verbal checks (Score:2, Interesting)
I'm wondering what the risks are in using verbal checks (paperless ACH transfers). I pay my monthly electricity bill that way since my power company adds a "convenience charge" for using a credit card. As far as I know, the only thing needed for a verbal check is the account number and bank routing number. What's to stop anyone who knows the account number from issuing a verbal check to themself? The routing number for any bank is available online or by calling the bank. If I dispute a verbal check is the bank required to reverse the charge?
Re:What can be done? Nothing. (Score:3, Interesting)
Why, because if you provided for all my needs, then I wouldn't need to work.
Then I put your ass on a boat and drop you off in the middle of the pacific with a bologna sandwich and life vest.
Others would see me not working and decide to follow suit.
I imagine most people would rather be productive than have die of exposure.
This trait is called greed and you will never be able to take it out of the equation.
Greed only exists because there is incentive to do so. Remove the incentive and you remove the greed.
And this is where someone goes on about how no one would have the incentive to invent new things, but that's only because we assume the only motivation in monetary gain. While in reality most true inventions happen because the inventor actually wants to use his invention.
Re:What can be done? Nothing. (Score:2, Interesting)
Read this. [mises.org]
Re:Get a credit card (Score:5, Interesting)
Re:What can be done? Nothing. (Score:2, Interesting)
I have fell victim to this from a hotel in Rio Grand de Norte in Brazil where when I checked out with my debit card used my pin (covered my hand) and fly back to Rio de Janeiro. By the time I had arrived my account was cleaned out as someone had made a duplicate card and bought shoes, jewelry and even hit the ATM machine and withdrew cash. I showed my airline ticket and the money was returned.
The second time I used my CHIP and PIN card from my UK bank account thinking I was safe. Well guess what the CHIP and PIN is a dog and pony show! I used a UOB ATM machine and someone was able to duplicate my card and use my PIN with a new NON CHIP and PIN card and wipe my account out. Meaning the system doesn't verify if the CHIP is in place it only uses it assuming one is on the card. Once again some fancy new sneakers, jewelry, cash from the ATM and even had a movie at my expense.
I will tell you it took well over a month to get the money back but in each instance the money was returned.
I now rarely use my DEBIT cards for anything and I make damn sure there is no money in the account (second non-linked account) and if I want to make a large transaction I just move the money make the transaction and be done with it. My other option is good ole american express.. I can pull up to a 1000 pounds a day and while it can be expensive as long as you pay promptly its not too bad.
Just my 2 cents!
Re:What can be done? Nothing. (Score:5, Interesting)
Interestingly enough, your post highlights a potential risk in the way Slashdot shortens the square bracket preview of long URLs. Example of what I mean [securebank...online.com]
Re:What can be done? Nothing. (Score:4, Interesting)
a nice low tech fix (Score:3, Interesting)
Re:What can be done? Nothing. (Score:3, Interesting)
Hehe I noticed that as a foreigner visiting America.
Obviously I didn't want to use my debit card from my home bank for every transaction since I would incur a currency exchange fee every time. So I generally used cash (and this was mostly in large denominations like 50s and 100s, since thats what they give you when you get your money changed at the airport).
The first thing I noticed was the signs at various shops saying "we don't accept 100s". This was 'new' to me. At home, money is money, and has to be accepted for a payment (it's legal tender after all). I don't think the retailer has a right to refuse you paying with particular denominations (although I suppose they can refuse to trade with you altogether which has the same effect). Having said that, I suppose the reason for this might not be related to counterfeiting at all - it could simply be that they don't like to count out a large amount of change (slows down the line etc).
The second thing I noticed was the weird looks they gave you paying in 100s, or in some cases, even 50s. Wtf...
The third thing I noticed was all the weird little things they did to check for forgeries ... running it between their fingers, the UV light, etc etc. Some places even had little machines to check the bills. At home (Australia FWIW), I've NEVER seen anyone check a bill for authenticity (not even in a cursory fashion) ... hell they barely even glance at it. Probably mostly because Australian bills are considered among the most secure in the world (they are polymer rather than linen/paper, and virtually unforgeable).
I think it's just one of those cultural things though. At home people use $50s and $100s all the time and it's not considered unusual at all. Noone even raises an eyelid. 50s are especially common since Australian ATMs dish out both 50s and 20s (so you can make withdrawals of 20, 40, 50, 70, 80, 90, 100 etc).
Of course it's not as bad as in Europe. Last time I travelled there the currency changer gave me a 500 Euro note. I'm sure dishing out change for that annoyed whoever I ended up giving it to.
Re:What can be done? Nothing. (Score:3, Interesting)
Same thing happens in the US.
http://www.schneier.com/blog/archives/2010/02/another_debit_c.html [schneier.com]
Never, never, EVER punch your PIN into a pad that is not attached to an ATM machine that is owned by your financial institution. And even then, pay close attention.
http://www.krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/ [krebsonsecurity.com]
Cash is looking better all the time.